Meteor's source code open to the clients?

眼角桃花 2021-02-14 00:35

From a general glimpse of it, it seems that source code for Meteor app is open to the clients due to 'Write one Javascript file, run it on client and server at once' theme.

2 Answers
  • 2021-02-14 01:06

    The best way to secure a client-server app is by writing explicit security checks on the server, rather than hiding the database update logic from the client.

    For a longer explanation of the security model, see https://stackoverflow.com/a/13334986/791538.

  • 2021-02-14 01:20

    Any code in the server/ folder will not get sent to the client (see http://docs.meteor.com/#structuringyourapp)

    EDIT

    Regarding the second part:

    Any code not in client/ or server/ is code you want to run both client and server side. So obviously it must be sent to the client.

    The reason that you would place model code in there is because of latency compensation. If you want to make updates to your data, it's best to do it immediately client-side and then run the same code server side to 'commit' it for real. There are many examples where this would make sense.

    If there is 'secret' model code that you don't want to run client side, you can certainly have a second server/models.js file.

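The two answers above (explicit checks on the server, and shared code that runs on both sides for latency compensation) can be modelled in plain Node. This is an added example, not part of the original thread and not Meteor's own code; `Server`, `Client`, `methods` and `renamePost` are hypothetical names, and the maps stand in for the database and the session store.

```javascript
// Plain-Node model of the pattern; every name here is hypothetical, not Meteor's API.
// Shared "model" code: delivered to the browser AND executed on the server.
const methods = {
  renamePost(db, userId, postId, title) {
    const post = db.get(postId);
    if (!post) throw new Error('not-found');
    // This check is readable by every client. It still holds, because the
    // server runs it with a user id taken from its own session state.
    if (post.owner !== userId) throw new Error('not-authorized');
    if (typeof title !== 'string' || !title || title.length > 80) throw new Error('bad-title');
    db.set(postId, { ...post, title });
  },
};
class Server {
  constructor(rows) { this.db = new Map(rows); this.sessions = new Map(); }
  login(token, userId) { this.sessions.set(token, userId); }
  call(token, name, args) {
    if (!Object.prototype.hasOwnProperty.call(methods, name)) return { ok: false, error: 'no-such-method' };
    try {
      methods[name](this.db, this.sessions.get(token), ...args);
      return { ok: true };
    } catch (e) { return { ok: false, error: e.message }; }
  }
}
class Client {
  constructor(server, token, claimedUserId) {
    this.server = server; this.token = token; this.userId = claimedUserId;
    this.cache = new Map(server.db); // local copy of the data
  }
  call(name, ...args) {
    // Latency compensation: run the same code locally for an instant UI update.
    // The user controls this step in their own browser, so it authorizes nothing.
    try { methods[name](this.cache, this.userId, ...args); } catch (e) { /* UI only */ }
    const result = this.server.call(this.token, name, args);
    this.cache = new Map(this.server.db); // the server's state replaces the local guess
    return result;
  }
}
function demo() {
  const server = new Server([['p1', { owner: 'alice', title: 'Hello' }]]); // constructed data
  server.login('tok-alice', 'alice');
  server.login('tok-bob', 'bob');
  // Constructed case: bob's client has been altered to use alice's id locally.
  const bob = new Client(server, 'tok-bob', 'alice');
  const denied = bob.call('renamePost', 'p1', 'Changed');
  const alice = new Client(server, 'tok-alice', 'alice');
  const allowed = alice.call('renamePost', 'p1', 'Hello again');
  return { denied, allowed, bobView: bob.cache.get('p1').title, finalTitle: server.db.get('p1').title };
}
```

The method body being public changes nothing about the outcome: the server decides with the user id it holds for the session, and the client's optimistic write is discarded when the server's state comes back.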